Mist users are strongly advised to update in order to protect account integrity when browsing untrusted Dapps. Ethereum Wallet is not affected. See below.

Some Mist API methods were exposed, allowing malicious webpages to access a privileged interface that could delete files on the local filesystem or launch registered protocol handlers, and obtain sensitive information such as the user directory or the user's coinbase.

Previously vulnerable exposed Mist APIs:

mist.shell

mist.dirname

mist.syncMinimongo

web3.eth.coinbase is now null if the account is not allowed for the dapp
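
One way to enforce the two restrictions listed above, as an added example that is not Mist's own code: the page-facing object is built from an explicit allowlist, and the coinbase is returned only to origins the user has approved. The `requestAccount` and `menu` members, the permissions map, and all origins and addresses are constructed for illustration.

```javascript
'use strict';

// Constructed stand-in for the privileged object a browser shell holds internally.
const privilegedMist = {
  shell: { openExternal: (url) => `opened ${url}` }, // hypothetical member
  dirname: '/home/alice/.mist',                      // constructed path
  syncMinimongo: () => 'synced',
  requestAccount: () => 'requested',                 // hypothetical safe member
  menu: { add: (id) => `menu:${id}` },               // hypothetical safe member
};

// Only members named here reach page context; anything new is hidden by default.
const PAGE_ALLOWLIST = ['requestAccount', 'menu'];

function buildPageApi(privileged, allowlist) {
  const api = Object.create(null); // no prototype chain for pages to walk
  for (const name of allowlist) {
    if (Object.prototype.hasOwnProperty.call(privileged, name)) {
      api[name] = privileged[name];
    }
  }
  return Object.freeze(api);
}

// permissions: Map of dapp origin -> accounts the user allowed for that dapp.
function coinbaseFor(pageUrl, nodeCoinbase, permissions) {
  let origin;
  try {
    // Compare the parsed origin, never a substring of the URL.
    origin = new URL(pageUrl).origin;
  } catch (err) {
    return null; // unparseable URL: treat as not permitted
  }
  const allowed = (permissions.get(origin) || []).map((a) => a.toLowerCase());
  return allowed.includes(nodeCoinbase.toLowerCase()) ? nodeCoinbase : null;
}

// Constructed sample data.
const COINBASE = '0x00000000000000000000000000000000000000A1';
const permissions = new Map([
  ['https://trusted-dapp.example', ['0x00000000000000000000000000000000000000a1']],
]);

const pageApi = buildPageApi(privilegedMist, PAGE_ALLOWLIST);
console.log(Object.keys(pageApi)); // members visible to the page
console.log(coinbaseFor('https://trusted-dapp.example/app', COINBASE, permissions));
console.log(coinbaseFor('https://trusted-dapp.example.evil.test/', COINBASE, permissions));
```
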

Upgrade to this version of the Mist Browser. Do not use any previous Mist version to navigate to any untrusted webpage, or local webpages from unknown origins. Ethereum Wallet is not affected as it doesn't allow navigation to external pages.

This is a good reminder that Mist is currently intended only for Ethereum app development and should not be used by end users to navigate the open web until it has reached at least version 1.0. An external audit of Mist is scheduled.

We'd like to thank the vulnerability discoverer, Tintinweb, for his responsible disclosure and remind everyone that we have a bounty program at bounty@ethereum.org.